An information disclosure vulnerability was discovered in BouncyCastle, a Java library which consists of various cryptographic algorithms. The Galois/Counter mode (GCM) implementation was missing a boundary check that could enable a local application to gain access to user's private information.

For Debian 7 "Wheezy", these problems have been fixed in version 1.44+dfsg-3.1+deb7u2.

We recommend that you upgrade your bouncycastle packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

It was discovered that the Dovecot email server is vulnerable to a denial of service attack. When the "dict" passdb and userdb are used for user authentication, the username sent by the IMAP/POP3 client is sent through var_expand() to perform %variable expansion. Sending specially crafted %variable fields could result in excessive memory usage causing the process to crash (and restart).

For the stable distribution (jessie), this problem has been fixed in version 1:2.2.13-12~deb8u2.

We recommend that you upgrade your dovecot packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

The Dovecot update issued as DSA-3828-1 introduced a regression; this update reverts the backported patch. Further analysis by the Dovecot team has shown that only versions starting from 2.2.26 are affected. For reference, the original advisory text follows.

It was discovered that the Dovecot email server is vulnerable to a denial of service attack. When the "dict" passdb and userdb are used for user authentication, the username sent by the IMAP/POP3 client is sent through var_expand() to perform %variable expansion. Sending specially crafted %variable fields could result in excessive memory usage causing the process to crash (and restart).

For the stable distribution (jessie), this problem has been fixed in version 1:2.2.13-12~deb8u3.

We recommend that you upgrade your dovecot packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/